Celebrity Apple Hack: What You Can Do to Deter Attacks

Oscar winner Jennifer Lawrence was among more than a dozen female celebrities whose nude photographs were leaked this weekend after what Apple called a “very targeted attack” into their cloud storage accounts.

Apple denied that its iCloud or Find My iPhone systems were breached, seeming to address reports over the weekend that the invasion involved a bug in the company’s cloud systems that allowed hackers entry by taking an unlimited number of password guesses until hitting the correct one. Apple said certain celebrity accounts were compromised by “a very targeted attack on user names, passwords and security questions.”

However the hack occurred, iCloud is just another branded name for cloud storage, and there is no such thing as hacker-proof cloud storage. Some people might not even realize that automated backup and syncing of devices means uploading data — potentially sensitive stuff like photos — to a remote server on the Internet.

If you have an iCloud account, or any cloud-storage account, you can just as easily be the target of an attack. Here are some tips to make it tougher for unsavory people to get at what you’ve stored — knowingly or not — in the cloud.

Don’t Use the Same Password: If you have many online accounts, you should have many passwords. If you’re using one password for your Apple, Google, Amazon, Microsoft, Facebook, Twitter and whatever-else accounts, you’re giving the equivalent of a skeleton key to someone who figures out that one special password. One trick is to come up with a complex password, and then make a portion of it unique for each account.

Strengthen Your Passwords: Adding a couple of numbers and an exclamation point to your password will make it tougher for hackers to guess it by using a “brute force” attack, which involves repeatedly guessing combinations (usually through an automated program) until the correct password is found. Even if you have a strong password with uppercase letters and symbols in the mix, multiple passwords are key.

Also, if you are using “security questions” that get asked when you try to retrieve a lost password, make sure they are obscure. (You might even consider lying, if you can remember that you lied.) Some questions involve easy-to-obtain info like your mom’s maiden name or your dad’s middle name.

Understand and Use Two-Factor Authentication: It is absolutely critical that you turn on two-factor authentication — sometimes called two-step verification — wherever it is available. (That’s just about every major Web service like Facebook and Twitter, but mysteriously not all of them. So make sure you check.)

We wrote a guide earlier this year for how to turn it on at 11 of the most popular online services, but here’s a refresher: Two-factor authentication involves a normal login password plus a special one-time code that you usually receive via an email or text message. If someone tries to log into your account without your permission, you’ll get that secondary code sent your way — a pretty good red flag for you and deterrent to the hacker.

Consider a Password Manager: Trying to remember a lot of unique, complex passwords and juggling two-factor codes can be cumbersome. The slog is worth it, but using an online password manager can make it easier. WSJ columnist Geoffrey Fowler has more than 150 different logins and he’s tested the best options out there — Dashlane, LastPass, 1Password and PasswordBox. Password managers can hide all of your different logins behind one password that only you know, and the best solutions never transmit your master password over the Internet.

Get Control of Automated Backups: One serious step is to turn off automatic backups. Many services such as iCloud and Google’s accounts for Android users include regular backups. The convenience is obvious—every app you download, every website you visit, every photo you snap is automatically saved to the cloud. If you lose your device, you can download everything from the cloud and pick up right where you left off on a new phone or tablet. But all this seamless syncing might mean you don’t even realize what you are uploading to the cloud — sensitive photos, important financial data or any other files you’d rather keep private.

Turning off automatic backups robs you of the convenience of the cloud. But you get control: You can choose when you want to save data to the cloud and not include files you don’t want copied to a company’s remote servers. If you still want to hold on to that private data, you can copy it to a laptop’s hard drive or an external hard drive — both of which you can encrypt and protect with yet another password.